Thursday, July 29, 2010

Oracle BPM 11g Integration with ADF and WebCenter Suite - Quick Overview

In May, I blogged about a new Oracle product release, BPM 11g; see the post Oracle BPM 11g Integration with ADF and WebCenter Suite. I'm now working in this area, integrating BPM 11g Human Tasks into WebCenter Spaces 11g. The really good news for BPM people is that we can now create rich SOA-type applications: it is possible to bring standard ADF Task Flows and Oracle BPM based ADF Task Flows together in a WebCenter Spaces 11g Process Space.

I can access custom ADF Task Flows in WebCenter Spaces 11g by declaring them and extending the WebCenter resource catalog:

My custom ADF Task Flow is present in the resource catalog - it provides a filterable list of company employees and allows employee details to be modified:

Through WebCenter Composer, this custom ADF Task Flow can be easily added to the Oracle BPM Group Spaces page:

From the Oracle BPM Group Spaces page, the user can see and manage assigned BPM Human Tasks. Additionally, our custom ADF Task Flow for Employees data management is available on the same WebCenter Spaces 11g page:

Monday, July 26, 2010

Managing ADF Security Using Oracle Enterprise Manager 11g

Recently I had a long meeting at a customer site to discuss and describe various ADF Security management strategies for a production environment. Good news - in the end, everyone left the meeting happy and with a correct understanding of the benefits ADF Security provides. I will describe how you can manage Application and Enterprise security roles, as well as Permissions, after an ADF application is deployed on a production WebLogic server.

Download sample application - This application contains one Application-level role, accountants; for testing purposes it is mapped to the Enterprise-level role Accountants:

There is a test user defined, dev1, who is granted the Enterprise role:

The application contains one JSPX page and one ADF Task Flow with a fragment. The JSPX page is granted to be viewable by any authenticated user:

The ADF Task Flow is granted only to the accountants Application Role:

The sample application is configured not to migrate any users or groups defined in the local jazn-data.xml. This means we will consume the users and groups defined in WebLogic server, without uploading those from the development environment:

After deploying the application, I can see that no users were uploaded from the development environment, which is what I want:

Now that deployment is done, we can open the application control screen in Oracle Enterprise Manager 11g. There is a Security group in the menu - it gives access to application policies and roles. This means we can manage ADF Security directly, even after the application has been deployed on the server, without redeployment:

I can see two Application Policies defined, based on the authenticated-role and accountants roles:

We can access Application Role - accountants:

And see details for this role:

Interestingly, I can still see that the accountants Application Role is mapped to the Accountants group (Enterprise Role). It should not be visible, because in the deployment profile I declared that no users or groups should be uploaded from the development environment. I will try to delete this mapping:

However, the delete operation fails with an error - no such role is found:

This means it is good practice to remove any mapping between Application and Enterprise Roles in the development environment before doing the actual deployment:

After removing the role mapping in jazn-data.xml and redeploying, I can see the correct picture: no groups are assigned to the Application Role.
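A pre-deployment check for the practice described above, added here as an example and not part of the original post or its sample application: it lists the development users, groups, role mappings and broad grants still present in jazn-data.xml. The XML fragment is constructed, and its element layout, the class name, the application name SampleApp and the permission name are assumptions about what JDeveloper 11g generates.

```python
import xml.etree.ElementTree as ET

# Constructed jazn-data.xml fragment. Element layout and names are assumptions
# about the file JDeveloper 11g generates; they are not copied from the sample.
SAMPLE_JAZN = """<jazn-data>
  <jazn-realm default="jazn.com"><realm><name>jazn.com</name>
    <users><user><name>dev1</name></user></users>
    <roles><role><name>Accountants</name></role></roles>
  </realm></jazn-realm>
  <policy-store><applications><application><name>SampleApp</name>
    <app-roles><app-role><name>accountants</name>
      <members><member><name>Accountants</name>
        <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
      </member></members></app-role></app-roles>
    <jazn-policy><grant>
      <grantee><principals><principal><name>authenticated-role</name>
      </principal></principals></grantee>
      <permissions><permission><name>view.pageDefs.mainPageDef</name>
        <actions>view</actions></permission></permissions>
    </grant></jazn-policy>
  </application></applications></policy-store>
</jazn-data>"""

BROAD_ROLES = {"authenticated-role", "anonymous-role"}

def audit_jazn(xml_text):
    """Return (kind, detail) findings to review before a production deployment."""
    root = ET.fromstring(xml_text)
    findings = []
    # Test identities still defined in the development realm.
    for tag, kind in (("user", "dev-user"), ("role", "dev-group")):
        for name in root.findall(f"./jazn-realm/realm/{tag}s/{tag}/name"):
            findings.append((kind, name.text))
    for app in root.findall("./policy-store/applications/application"):
        # Application Role -> Enterprise Role mappings made in development.
        for role in app.findall("./app-roles/app-role"):
            for member in role.findall("./members/member/name"):
                findings.append(("role-mapping", f"{role.findtext('name')} <- {member.text}"))
        # Resources granted to every authenticated (or anonymous) user.
        for grant in app.findall("./jazn-policy/grant"):
            who = {p.text for p in grant.findall("./grantee/principals/principal/name")}
            for perm in grant.findall("./permissions/permission/name"):
                for broad in sorted(who & BROAD_ROLES):
                    findings.append(("broad-grant", f"{perm.text} -> {broad}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_jazn(SAMPLE_JAZN):
        print(f"{kind:13} {detail}")
```

An empty result for the dev-user, dev-group and role-mapping kinds is the state the post reaches by hand before redeploying; broad-grant entries are listed for review rather than treated as errors.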

Now I will switch to the WebLogic console and define a new Group (Enterprise Role), FinanceG. This role may come from Active Directory, etc.:

I have defined a new user on the WebLogic server as well, john:

This user is assigned to the FinanceG group:

Now it's time to open Oracle Enterprise Manager 11g and map the FinanceG group to the accountants Application Role:

Through Oracle Enterprise Manager 11g we can browse and assign groups from the WebLogic server. All users in the FinanceG group will be able to access resources protected by the accountants Application Role:

Log in as user john, who is in the FinanceG group:

Both the page and the ADF Task Flow are rendered:

If I log in as user scott, who is not in the FinanceG group:

The region from the ADF Task Flow is not rendered. That is correct, because user scott is not authorized to access this region without the accountants Application Role:

Let's say the organization's security policy changes and it is no longer allowed to show the Countries page without a proper role assignment. You may think that an application change and redeployment will be required. However, there is an easy way - we can change Application Policies directly in Oracle Enterprise Manager 11g. Open the Application Policies screen and select the main page permission granted to the authenticated role:

Grant this permission to the accountants Application Role:

Remove the authenticated role from the list:

The application is now secured entirely by the accountants Application Role:

Users from any group not mapped to the accountants Application Role are not authorized to access the application (user scott in this case):

Sunday, July 18, 2010

Redeploy and Version ADF Shared Libraries on WLS

A few days ago I described how to extract ADF shared libraries from the main EAR deployment package into a separate WAR library deployment - Deploying ADF Applications as Shared Libraries on WLS. Now it's time to explain how to redeploy and version ADF shared libraries on WLS. The next blog post will focus on main site production redeployment. Today I'm describing ADF shared library versioning concepts and why they could be useful in your environment.

Download sample application with ADF shared libraries deployment and versioning scripts - This application is based on the sample developed in the previous blog post mentioned above.

Let's assume our application is running on the server, and its functionality is tested and works well:

There are already two versions of our ADF shared library deployed. Because the main site doesn't specify which version of the shared library to use, the latest one will always be used automatically. In this case, it is redsamurai.shared.lib version 1.0.1:

Now we deploy a redsamurai.shared.lib update, version 1.0.2. The developer left one bug in this latest version and the test team didn't test it properly - the Save button functionality is broken:

We check the deployed shared library versions; you can see that version 1.0.2 is available - it's where the new bug was introduced:

However, we saw that the Save button was working properly with the previous redsamurai.shared.lib release, 1.0.1. This means we can simply revert to shared library version 1.0.1 while development fixes the Save button bug. In order to revert to the previous library version, we first need to stop the main site deployment, the application that consumes the shared library - UIShell:

When the main application is stopped, delete the redsamurai.shared.lib 1.0.2 library:

You can now start the main application; it will automatically consume the latest available shared library version - redsamurai.shared.lib 1.0.1:

The previously broken functionality is fixed - the Save button is working well:

Now I will describe how you can increase the shared library version and deploy it to the WLS server. The developer has updated the Departments fragment functionality by adding a new button - Undo:

Because we are using shared library deployment, there is no need to redeploy the main site. First, we rebuild the ADF library for Departments:

Then we need to increase the redsamurai.shared.lib version:

Package all ADF libraries into the redsamurai.shared.lib WAR deployment package - use the create-shared-lib Ant target:

The shared library WAR archive should now be generated:

Verify the generated library version; you can find it in the MANIFEST file. This file is inside the WAR archive package, and it should show the latest version - 1.0.2:

Deploy redsamurai.shared.lib to WLS using the deploy-shared-lib Ant target. This Ant target uses two wldeploy commands - first it redeploys our shared library with the new version and then it reloads the main site. We need to reload the main site in order to use the latest available shared library. Otherwise we would need to restart the WLS server in order to pick up the latest redsamurai.shared.lib library updates:

Check the library deployments screen; the latest shared library should be available:

The UIShell application shows the latest update in the Departments fragment - the Undo button:

If the latest deployed shared library version is stable, you can remove previous versions from WLS. However, it is good practice to always leave at least the base version available on WLS.
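A pre-deployment gate for the versioning procedure above, added here as an example and not taken from the post's sample scripts: it reads the version from the WAR's manifest and refuses a build that is not strictly newer than what is already deployed. The attribute names Extension-Name and Specification-Version are assumed to be the ones the sample's manifest uses; the WAR and the list of deployed versions are constructed.

```python
import io
import zipfile

def read_manifest(war_bytes):
    """Parse the main section of META-INF/MANIFEST.MF inside a WAR archive."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        text = war.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # a blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous value
            attrs[key] += line[1:]
        else:
            key, _, value = line.partition(":")
            attrs[key] = value.strip()
    return attrs

def version_key(version):
    """'1.0.10' -> (1, 0, 10), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def check_release(war_bytes, library, deployed_versions):
    """Return the WAR's version if it is the expected library and strictly newer."""
    attrs = read_manifest(war_bytes)
    if attrs.get("Extension-Name") != library:  # assumed attribute name
        raise ValueError(f"unexpected library name: {attrs.get('Extension-Name')!r}")
    version = attrs.get("Specification-Version")  # assumed attribute name
    if not version:
        raise ValueError("manifest has no Specification-Version")
    newest = max(deployed_versions, key=version_key, default=None)
    if newest is not None and version_key(version) <= version_key(newest):
        raise ValueError(f"{version} is not newer than deployed {newest}")
    return version

def build_sample_war(version):
    """Constructed in-memory WAR holding only a manifest, for the demonstration."""
    manifest = ("Manifest-Version: 1.0\r\nExtension-Name: redsamurai.shared.lib\r\n"
                f"Specification-Version: {version}\r\n"
                f"Implementation-Version: {version}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    war = build_sample_war("1.0.2")
    print(check_release(war, "redsamurai.shared.lib", ["1.0.0", "1.0.1"]))
```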